Carpe Diem: Flaphead.com

Exchange 2003 Microsoft Server ActiveSync and VSAPI

I have seen a few issue related to this so I thought it would explain some stuff!

In "Exchange VSAPI" there are really 3 ways a message item can be scanned in the Information Store.

1. Proactive Scan
   This scan occurs as an item is written to the store. (Can be enabled or disable via an Exchange registry key value)
2. On Access
   This scan occurs if an item already in the Information Store is accessed and it is not stamped with the current ScanID number held by VSAPI. (This cannot be disabled)
3. Background Scan
   This is an entire sweep of the Information Store scanning all items that are not scanned with the current ScanID number held by VSAPI. (Can be enabled or disable via an Exchange registry key value)

Now each time a message is scanned it is tagged with a number (lets call it a ScanID) by VSAPI. This number is passed to VSAPI by your Exchange aware AV Software … So your AV software sets this ScanID number but VSAPI requires it and uses it.

The ScanID number is incremented when a AV engine definition is updated or when ScanJob settings are changed within your AV software. When a message inside the Information Store is not stamped with the most current current ScanID number this is likely to invoke a On Access rescan when somebody or something accesses it.

Now the problem with ActiveSync.......ActiveSync will skip the synchronisation of items that require an On Access Scan. This is described in this KB:  827615 Server ActiveSync does not download all items during a synchronisation session <http://support.microsoft.com/default.aspx?scid=kb;en-us;827615 >

In this KB it suggests “To work around this behaviour, turn on background scanning and proactive scanning in the anti-virus software on your Exchange 2000 or Exchange 2003 computer” essentially this so that all messages in the Information Store maintain the latest ScanID.

The average AV software installation probably changes ScanID number about 2 -3 times a day depending on the number of vendor engines and changing definitions. This means the change in ScanID is far too frequent for Background Scanning to keep all messages in the Information Store up to date with the latest ScanID, particularly in a large Information Store that will take a long time for a background scan to complete.

There are some possibilities within AV Software to get around this situation:

1.  Make sure background scans are happening all the time. This can be done by enabling background scans to kick in whenever the ScanID changes.
2. Configure your AV software (if possible) so it does not change the ScanID number when AV engine definition changes are made or when Scan Job configuration changes are made. This will essentially fix the ScanID at a constant value. Obviously this lowers the protection level in the Information Store because once an item is scanned once and stamped with the Scan ID it will never be scanned again. This should solve the message synchronisation problem - but it is a workaround only and no means a fix.  You would talk to you AV software vendor about this first

Now a hotfix does exist that “might” fix this issue.  In 50% of cases I have seen it work, but that still leaves 50%.  The Hotfix is from 894065 Exchange ActiveSync cannot synchronise items in a store when the virus scanner on the Exchange Server 2003 server is configured not to scan that store <http://support.microsoft.com/default.aspx?scid=kb;en-us;894065>

What I don’t know is if Exchange 2003 SP2 will fix this issue (I don’t think it does). 

If the hotfix doesn’t work for you, then I’m afraid you will have to let background scanning do it’s work.  I also don’t know how AUTD in Exchange 2003 SP2 is going to be affected AND why it doesn’t affect everyone only some people .. maybe I'll get some more answers soon!